WordPress.org
Forums

Built in Brute Force prevention (20 posts)

  1. wp3zzz
    Member
    Posted 1 year ago #

    I host several websites and really appreciate how awesome WordPress is. Lately I am noticing numerous brute force attempts to log in to these sites. I know there are plugins that can prevent this (one of them screwed up an MU install for me last week) but I wonder; why isn't this built in? Limit users to 1 request per 5 or 10 seconds or so, that would probably be a big help!

    thank you

  2. chaoix
    Member
    Posted 1 year ago #

    I second this request.

    To alleviate the problem in the meantime you can:

    1. Add this code to your functions.php to make brute forcing more difficult:
      // Removes detailed login error information (WordPress otherwise says whether
      // the username or the password was wrong, which lets an attacker enumerate users).
      // create_function() was deprecated in PHP 7.2 and removed in PHP 8; a closure does the same job.
      add_filter('login_errors', function ($error) {
          return '';
      });

      // Removes the WordPress version from the <meta name="generator"> tag in your header.
      function wb_remove_version() {
          return '';
      }
      add_filter('the_generator', 'wb_remove_version');
    2. Change the default admin account in your WordPress installs to something other than "admin"
  3. WPyogi
    Volunteer Moderator
    Posted 1 year ago #

  4. paulwpxp
    Font hero
    Posted 1 year ago #

    I know there are plugins that can prevent this (one of them screwed up an MU install for me last week) but I wonder; why isn't this built in? Limit users to 1 request per 5 or 10 seconds or so, that would probably be a big help!

    That's exactly the point.

    Of course, there are plugins for this, but WP by default should come with some level of protection regarding this.

  5. Limit users to 1 request per 5 or 10 seconds or so, that would probably be a big help!

    Two major reasons:

    1) We would catch a LOT of people complaining they got locked out of their blogs, without any idea how to un-block themselves. Remember, there are a lot of non-techs who use WP.

    2) Blocking there is 'too late.' Any time you're using a plugin or WP code to throttle this sort of attack. This is something a server should be protecting you from (the brute force part, not the secure password part).

  6. wp3zzz
    Member
    Posted 1 year ago #

    1) if they're blocked for 5 seconds, they won't be locked out. If they think they are, tell them to "try again now".

    2) What do you mean the server should be protecting you, how does it know a legitimate login request from a non? WordPress itself is processing the login request. It could fairly easily do something to lock itself for 5 seconds before processing the next request.

  7. esmi
    Forum Moderator
    Posted 1 year ago #

    The server processes the request before WordPress gets to it. Any server that's seeing the kind of traffic that is part of a brute force attack should be triggering its own protection.

  8. wp3zzz
    Member
    Posted 1 year ago #

    >"server processes the request before WordPress gets to it."

    I think there is some confusion here. WordPress itself (the wp-login.php script) processes login requests and this is what bogs down the server.

    >"should be triggering its own protection"

    what is the nature of the protection you're talking about; is there a name for it and how do we install / configure that? Please provide a link or some information about this?

    thanks!

  9. Andrew
    Forum Moderator
    Posted 1 year ago #

    When someone calls the wp-admin URI, the following happens:
    1. A call is made to the server.
    2. The server decides what to do with the call.
    3. The server returns the wp-login.php script.
    4. The user views the wp-admin page.

    So, Esmi was pointing out that at step 1 there should be some sort of security measure that the hosting providers should implement.

    Whereas you're suggesting step 4.

  10. esmi
    Forum Moderator
    Posted 1 year ago #

    WordPress itself (the wp-login.php script) processes login requests and this is what bogs down the server.

    During a brute force attack, that's too late. Ideally you need to stop these attacks as early as you possibly can to reduce the load on the server.

    what is the nature of the protection you're talking about

    There are a couple of ways you can stop the attackers before wp-login.php has to process the request. We've been trying to catalogue some of them in Brute_Force_Attacks. Personally, I've opted to limit access to wp-admin by IP on the sites I manage but that might not suit everyone.

  11. wp3zzz
    Member
    Posted 1 year ago #

    Thanks Andrew - what sort of security measure should the hosting provider implement; is there a name or a specific product that can tell this brute force attack on wordpress from a legitimate request?

  12. wp3zzz
    Member
    Posted 1 year ago #

    OK thanks Esmi - so if I'm understanding, the developers don't offer this built-in (the option to limit access to wp-admin by IP) because too many people will lock themselves out?

    Again it really seems that limiting the login requests to 1 per X seconds would alleviate what I've been seeing. So I'd like to continue to request that.

    Edit: Request that developers incorporate this plugin or similar into main wordpress: http://wordpress.org/extend/plugins/limit-login-attempts/

    thanks!!

  13. esmi
    Forum Moderator
    Posted 1 year ago #

    because too many people will lock themselves out?

    A lot of people would certainly forget that they'd limited access by IP and then complain bitterly here. :-) But mainly, this is very site specific and needs to be set up manually to suit each site's users. For example, you could never use this on a multisite install. Or on a site with lots of authors. So you cannot provide any kind of default in WP core as part of an install. Plus, some people are using Windows servers and don't have an .htaccess file.

    it really seems that limiting the login requests to 1 per X seconds would alleviate what I've been seeing

    I disagree. I think these botnets would just continue hammering away. You might relieve the problem a little but you wouldn't make much of a dent in the overall effect.

  14. wp3zzz
    Member
    Posted 1 year ago #

    The goal of my request isn't to prevent the brute force attempts themselves (which of course would be nice) but to prevent servers from getting overloaded by them, and in that regard I believe it will alleviate what I've been seeing. I'm going to give that plugin a try.
    Thanks for the links and info!

  15. esmi
    Forum Moderator
    Posted 1 year ago #

    Are you hosting your own server(s)?

  16. The goal of my request isn't to prevent the brute force attempts themselves (which of course would be nice) but to prevent servers from getting overloaded by them

    I do that by using ModSecurity or .htaccess. In both cases, I check based on behavior to see if the person should ever get access to wp-login.

  17. The goal of my request isn't to prevent the brute force attempts themselves (which of course would be nice) but to prevent servers from getting overloaded by them, and in that regard I believe it will alleviate what I've been seeing. I'm going to give that plugin a try.
    Thanks for the links and info!

    If you are trying to reduce load on your servers that plugin is going to make load worse during a brute force attack. The main problem is that the attacks come from multiple IP addresses, usually around 10 or 12 per IP, then they hit you from another IP. Limit Login Attempts locks out an IP after a set number of failed attempts but won't protect you from the next 10 tries from another IP.

    It also stores the IPs as a serialized array and every time a failed request is made it requires a call to the database and PHP resources to unserialize the data then serialize and write back to the db.

    I think blocking No-Referrer requests via the web server either Apache or Nginx is the best way to prevent the attempts. The bots don't normally get to wp-login.php via a redirect from /wp-admin, they usually hit wp-login.php directly with a POST request containing the username and password attempt. If you block direct access without a referrer it stops the attempts.

    You can also do this via PHP and WordPress but every attempt will still load the WordPress bootstrap.
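The reply above argues that a per-IP lockout barely dents a botnet that rotates addresses after a dozen guesses, while the original poster wants a simple "one request per 5 seconds" throttle. The following Python model is an added illustration, not code from this thread or from the Limit Login Attempts plugin: it feeds one constructed rotating attack through several throttling policies and counts how many password guesses each one actually lets reach the password check. The thresholds, the 600-second window and the 203.0.113.0/24 addresses are assumptions for the example.

```python
"""Per-IP lockout versus account-wide throttling against a rotating botnet.

Added illustration, not code from the thread or from the Limit Login Attempts
plugin. The attack pattern (a dozen guesses from one IP, then the next IP)
follows the reply above; the thresholds, window and the 203.0.113.0/24
addresses are assumed for the example.
"""
from collections import defaultdict, deque


class FailureLimiter:
    """Sliding-window failure counter keyed by any string (an IP or a username)."""

    def __init__(self, max_failures, window=600.0):
        self.max_failures = max_failures
        self.window = window             # seconds of history kept per key (assumed)
        self.failures = defaultdict(deque)

    def allowed(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()                  # forget failures older than the window
        return len(q) < self.max_failures

    def record(self, key, now):
        self.failures[key].append(now)


class SpacingLimiter:
    """The original poster's idea: at most one attempt per `min_gap` seconds per key."""

    def __init__(self, min_gap):
        self.min_gap = min_gap
        self.last = {}

    def allowed(self, key, now):
        last = self.last.get(key)
        return last is None or now - last >= self.min_gap

    def record(self, key, now):
        self.last[key] = now


def rotating_botnet(n_ips=30, per_ip=12, gap=1.0, user="admin"):
    """Constructed attack: each bot sends `per_ip` guesses `gap` seconds apart,
    then the next bot takes over.  Every guess is wrong."""
    attempts, t = [], 0.0
    for i in range(n_ips):
        ip = f"203.0.113.{i + 1}"       # TEST-NET-3, documentation range
        for _ in range(per_ip):
            attempts.append((t, ip, user))
            t += gap
    return attempts


def guesses_tested(limiter, key_of, attempts):
    """Count attempts that reach the password check under one policy."""
    tested = 0
    for now, ip, user in attempts:
        key = key_of(ip, user)
        if limiter.allowed(key, now):
            tested += 1
            limiter.record(key, now)    # all guesses fail, so each one is recorded
    return tested


def compare_policies():
    """How many of the botnet's guesses each policy lets through."""
    attack = rotating_botnet()
    return {
        "total_attempts": len(attack),
        "per_ip_lockout_after_4": guesses_tested(FailureLimiter(4), lambda ip, u: ip, attack),
        "per_ip_one_per_5s": guesses_tested(SpacingLimiter(5.0), lambda ip, u: ip, attack),
        "global_one_per_5s": guesses_tested(SpacingLimiter(5.0), lambda ip, u: "site", attack),
        "per_user_lockout_after_20": guesses_tested(FailureLimiter(20), lambda ip, u: u, attack),
    }


if __name__ == "__main__":
    for policy, n in compare_policies().items():
        print(f"{policy:28s} {n}")
```

With 30 bots sending 12 guesses each (360 in all), the per-IP lockout still passes 120 guesses and the per-IP 5-second spacing 90, because every fresh address starts with a clean slate; only a key the attacker cannot rotate (the targeted username, or the whole site) caps the total. The per-username lockout has its own cost: anyone who can send 20 bad passwords locks the real administrator out, so it is a denial-of-service lever. None of these policies changes the fact that every attempt, allowed or not, has already paid for the WordPress bootstrap, which is the thread's reason for pushing the block down to the web server.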

  18. chaoix
    Member
    Posted 1 year ago #

    Ok the point of code changes like this isn't to prevent the attack entirely, it's to slow down the attack to give time for a server admin to respond to the problem before the site has been hacked.

    Just so everybody knows, most shared LAMP hosting won't prevent non-intrusive brute force attack that is done slowly and in non-working hours.

    I believe adding an OPTION to WordPress to limit the number of log in attempts in a given time that is not turned on by default would be very useful. That option used in conjunction with the removing login error code I posted previously would completely prevent a brute force attack.

  19. wp3zzz
    Member
    Posted 1 year ago #

    Thanks chaoix. It's only because our servers were running slow and getting hit by the same ip addresses over and over that I had to look into this. Blocking the individual ip addresses got things under control on more than one occasion over the past few weeks.

  20. chaoix
    Member
    Posted 1 year ago #

    Cool. If you manage your own server running WHM/cPanel, you can install a nice iptables/firewall add on to help you handle these types of situations as well.
    http://configserver.com/cp/csf.html
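The thread ends with two server-side ideas: the observation earlier that bots POST straight to wp-login.php without a Referer header, and blocking the offending IPs at the firewall (CSF on a cPanel box). The script below is an added example, not code from this thread, from WordPress or from ConfigServer: it reads Apache combined-format access log lines, flags IPs that POST to wp-login.php with no Referer or that exceed a burst threshold, and prints one `csf -d` deny command per IP. The sample log lines are constructed, and the site name example.com, the thresholds and the choice of csf over raw iptables are assumptions.

```python
"""Flag brute-force clients in an Apache combined access log and emit firewall denies.

Added example, not code from the thread, WordPress or ConfigServer. It applies
the signature described earlier in the thread (POST to wp-login.php with no
Referer) plus a burst threshold, and turns the hits into ConfigServer Firewall
commands (`csf -d <ip> "<comment>"`). The sample log lines, example.com, the
thresholds and the use of csf rather than raw iptables are all assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" LogFormat: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: one real user, one single direct POST, one burst, and one bot
# that forges the Referer header (which the no-Referer rule alone cannot catch).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2013:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 2312 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2013:13:55:50 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"',
    '198.51.100.22 - - [10/Oct/2013:13:56:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3561 "-" "python-requests/2.0"',
] + [
    f'203.0.113.7 - - [10/Oct/2013:13:56:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3561 "-" "Mozilla/4.0"'
    for s in range(10, 16)
] + [
    f'203.0.113.8 - - [10/Oct/2013:13:57:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3561 "http://example.com/wp-login.php" "Mozilla/4.0"'
    for s in range(0, 4)
]


def parse(line):
    """Return the fields of one combined-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, max_posts=5, window_s=60):
    """IPs that POST to wp-login.php with no Referer, and IPs sending more than
    `max_posts` login POSTs within `window_s` seconds."""
    direct, bursts = set(), set()
    recent = defaultdict(deque)            # ip -> timestamps of recent login POSTs
    for line in lines:
        rec = parse(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        ip = rec["ip"]
        if rec["referer"] == "-":          # bots post straight to the script
            direct.add(ip)
        t = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        q = recent[ip]
        q.append(t)
        while t - q[0] > window_s:          # keep only the last window_s seconds
            q.popleft()
        if len(q) > max_posts:
            bursts.add(ip)
    return {"direct": direct, "bursts": bursts}


def block_commands(result, comment="wp-login brute force"):
    """One `csf -d` line per offending IP (`iptables -I INPUT -s IP -j DROP` is the raw equivalent)."""
    return [f'csf -d {ip} "{comment}"' for ip in sorted(result["direct"] | result["bursts"])]


if __name__ == "__main__":
    for cmd in block_commands(analyze(SAMPLE_LOG)):
        print(cmd)
```

Two caveats before piping the output into csf. The Referer header is supplied by the client, so a bot that sets it (203.0.113.8 in the sample) slips past the first rule, which is why the burst count is kept as a second signal; conversely, a legitimate user whose browser or privacy extension strips Referer will be flagged, so allowlist your own addresses first. And a log-based block is after the fact: the requests already in the log have each loaded WordPress, and only the firewall deny stops the next ones before the bootstrap, which is the point the moderators make above.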

Topic Closed

This topic has been closed to new replies.
